
rep+ — Burp-style HTTP Repeater for Chrome DevTools with built‑in AI to explain requests and suggest attacks

repplus/rep

rep+

rep+ is a lightweight Chrome DevTools extension inspired by Burp Suite's Repeater, now supercharged with AI. I often need to poke at a few requests without spinning up the full Burp stack, so I built this extension to keep my workflow fast, focused, and intelligent with integrated LLM support.


Features

Capture & Replay

  • No proxy setup; works directly in Chrome (no CA certs needed).
  • Capture every HTTP request and replay with modified method, headers, or body.
  • Multi-tab capture (optional permission) with visual indicators 🌍 and deduplication.
  • Clear workspace quickly; export/import requests as JSON for sharing or later reuse.

Organization & Filtering

  • Hierarchical grouping by page and domain (first-party prioritized).
  • Third-party detection and collapsible groups; domain badges for quick context.
  • Starring for requests, pages, and domains (auto-star for new matches).
  • Timeline view (flat, chronological) to see what loaded before a request.
  • Filters: method, domain, color tags, text search, regex mode.

Views & Editing

  • Pretty / Raw / Hex views; layout toggle (horizontal/vertical).
  • Converters: Base64, URL encode/decode, JWT decode, Hex/UTF-8.
  • History, undo/redo, and syntax highlighting for requests/responses.
  • Context menu helpers on the request editor:
    • Convert selected text (Base64, URL encode/decode, JWT decode).
    • Copy as full HTTP request in multiple languages: curl, PowerShell (Invoke-WebRequest), Python (requests), and JavaScript fetch.
  • Screenshot editor for request/response pairs: full-content capture, side‑by‑side or stacked layout, zoom, highlight and black-box redaction, resizable/movable annotations, keyboard delete, and undo/redo for all edits.

Bulk & Automation

  • Bulk replay with 4 attack modes: Sniper, Battering Ram, Pitchfork, Cluster Bomb.
  • Mark positions with §, configure payloads, pause/resume long runs.
  • Response diff view to spot changes between baseline and attempts.

Extractors & Search

  • Unified Extractor: secrets and endpoints from captured JS.
  • Secret Scanner: entropy + patterns with confidence scores; pagination and domain filter.
  • Endpoint Extractor: full URLs, relative paths, GraphQL; method detection; one-click copy (rebuilds base URL).
  • Response Search: regex support, match preview, pagination, domain filter.
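
How an "entropy + patterns with confidence scores" check of the kind the Secret Scanner bullet describes can work, as an added example (not rep+'s own code). The rule names, keyword list, 0.5 weights, and 3.0–4.5 bits/char entropy range are assumptions, and the sample bundle is constructed.

```javascript
// Added example, not rep+'s code. Rules, keyword list, weights and the
// 3.0-4.5 bits/char entropy range are assumptions chosen for illustration.
const VALUE_RULES = [
  { name: "aws-access-key-id", re: /^AKIA[0-9A-Z]{16}$/ },
  { name: "jwt", re: /^eyJ[\w-]+\.[\w-]+\.[\w-]+$/ },
];
const KEYWORD = /(api[_-]?key|secret|token|passw(or)?d)\W*$/i;
const CANDIDATE = /["'`]([A-Za-z0-9+\/_=.-]{20,})["'`]/g;

// Shannon entropy in bits per character.
function shannonEntropy(s) {
  const chars = [...s];
  const counts = new Map();
  for (const c of chars) counts.set(c, (counts.get(c) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / chars.length) * Math.log2(n / chars.length);
  return h;
}

function scanForSecrets(src, minConfidence = 0.5) {
  const findings = [];
  for (const m of src.matchAll(CANDIDATE)) {
    const value = m[1];
    // Text on the same line before the literal, e.g. `apiKey: `.
    const context = src.slice(src.lastIndexOf("\n", m.index) + 1, m.index);
    const rule = VALUE_RULES.find((r) => r.re.test(value));
    const hit = rule ? rule.name : KEYWORD.test(context) ? "keyword-assignment" : null;
    // Entropy contributes linearly between 3.0 and 4.5 bits/char.
    const entropyScore = Math.min(1, Math.max(0, (shannonEntropy(value) - 3) / 1.5));
    const confidence = 0.5 * (hit ? 1 : 0) + 0.5 * entropyScore;
    if (confidence < minConfidence) continue;
    findings.push({
      rule: hit || "high-entropy",
      line: src.slice(0, m.index).split("\n").length,
      preview: value.slice(0, 4) + "...", // never echo the full value
      confidence: Number(confidence.toFixed(2)),
    });
  }
  return findings.sort((a, b) => b.confidence - a.confidence);
}

// Constructed sample bundle; AKIAIOSFODNN7EXAMPLE is AWS's documentation key.
const SAMPLE_JS = [
  'const cfg = { apiKey: "q9Zt3LmX7vB2nR8kW5yH1cJ4", region: "us-east-1" };',
  'const id = "AKIAIOSFODNN7EXAMPLE";',
  'const pad = "aaaaaaaaaaaaaaaaaaaaaaaaaaaa";',
  'fetch("/api/v1/users/profile/settings");',
  'const nonce = "Zx8Kq2Lm9Vt4Rb7Nw3Yc6Hd1";',
].join("\n");
```

`scanForSecrets(SAMPLE_JS)` reports the keyword-assigned key, the AWS-style ID and the unlabelled random string in that order, and skips the low-entropy padding and the URL path.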

AI Assistance

  • Explain Request (Claude/Gemini) with streaming responses.
  • Suggest Attack Vectors: request + response analysis; auto-send if no response; payload suggestions; reflections/errors/multi-step chains; fallback to request-only with warning.
  • Context menu “Explain with AI” for selected text.
  • Attack Surface Analysis per domain: categorization (Auth/Payments/Admin/etc.), color-coded icons, toggle between list and attack-surface view.
  • Multi-provider support (Claude/Gemini).
  • Export AI outputs as Markdown or PDF so you can reuse them without spending more RPD/TPM (requests per day / tokens per minute) quota.

Productivity & Theming

  • Light/dark theme with smooth transitions.
  • Request color tags and filters.
  • Syntax highlighting for JSON/XML/HTML.

Quick Start

  1. Open Chrome DevTools → “rep+” tab.
  2. Browse: requests auto-capture.
  3. Click a request: see raw request/response immediately.
  4. Edit and “Send” to replay; use AI buttons for explain/attack suggestions.
  5. Use timeline, filters, and bulk replay for deeper testing.

Installation

  1. Clone the repository:
    git clone https://github.com/bscript/rep.git
  2. Open Chrome Extensions:
    • Navigate to chrome://extensions/ in your browser.
    • Enable Developer mode (toggle in the top right corner).
  3. Load the Extension:
    • Click Load unpacked.
    • Select the rep folder you just cloned.
  4. Open DevTools:
    • Press F12 or right-click -> Inspect.
    • Look for the rep+ tab (you might need to click the >> overflow menu).

This combo makes rep+ handy for bug bounty hunters and vulnerability researchers who want Burp-like iteration without the heavyweight UI. Install the extension, open DevTools, head to the rep+ panel, and start hacking. 😎

Local Model (Ollama) Setup

If you use a local model (e.g., Ollama) you must allow Chrome extensions to call it, otherwise you’ll see 403/CORS errors.

  1. Stop any running Ollama instance.
  2. Start Ollama with CORS enabled (pick one):
    • Allow only Chrome extensions:
      OLLAMA_ORIGINS="chrome-extension://*" ollama serve
    • Allow everything (easier for local dev, but any web page open in your browser can then call the local Ollama API):
      OLLAMA_ORIGINS="*" ollama serve
  3. Verify your model exists (e.g., gemma3:4b) with ollama list.
  4. Reload the extension and try again. If you still see 403, check Ollama logs for details.

Permissions & Privacy

  • Optional: webRequest + <all_urls> only when you enable multi-tab capture.
  • Data: Stored locally; no tracking/analytics.
  • AI: Your API keys stay local; request/response content is sent only to the provider you choose (Claude/Gemini) when you invoke AI features.

⚠️ Limitations

rep+ runs inside Chrome DevTools, so:

  • No raw HTTP/1 or malformed requests (fetch() limitation)
  • Some headers can’t be overridden (browser sandbox)
  • No raw TCP sockets (no smuggling/pipelining tests)
  • DevTools panel constraints limit certain UI setups

rep+ is best for quick testing, replaying, and experimenting — not full low-level HTTP work.

Found a Bug or Issue?

If you encounter any bugs, unexpected behavior, or have feature requests, please help me improve rep+ by opening an issue here.
I’ll do my best to address it as quickly as possible! 🙏

❤️ Support the Project

I maintain rep+ alone, in my free time.
Sponsorship helps me keep improving the extension, adding new features, and responding to issues quickly.

If rep+ saved you time during testing, development, or bug bounty work, please consider supporting the project.
Every dollar helps. ❤️
